Android Fails in Mobile Malware Research

There are many more malware-infected Android devices out there than you might think. That is because the Android ecosystem and Google Play store are friendlier to malware and exploits than iOS and the Apple App Store, or Windows 8, Windows Phone and the Windows Store. There is some reason, but not much, to think things will improve for Android in the near future.

The stand-out number in the research concerns the extent of malware-tainted Android devices: "Our research has determined that out of the 300 million Android devices out there, the presence of malware has been discovered on about a million of them. That's a significant number." A million? I'd call that significant.

Trail of Bits conducted the research from December, 2011 to March, 2012. The base number of devices has undoubtedly grown quite a bit since. Has the number of malware-infected systems grown proportionately? Guido says that of course it has, and there's little reason to think otherwise.

First, about the attacks themselves. On Android, attacks are almost all privilege escalation attacks using malicious apps that the user has installed deliberately, lured by a web site or by an app in an app store. Trail of Bits followed 100 attack campaigns, 30 of which were on the Google Play store.

Privilege escalation, in the context of mobile technology, is better known as a "jailbreak." The program exploits a vulnerability in the operating system to raise its own privilege level, allowing it to evade the restrictions placed on less-privileged programs. Exploits are generally easier to write on Android than on Apple's iOS, for a variety of reasons described by Trail of Bits.

Very few specific vulnerabilities were used in the malware found by Trail of Bits, and all of them had available patches. This raises one of the major problems with vulnerability mitigation in Android as opposed to iOS or Windows: Google relies on carriers and OEMs to distribute operating system version upgrades. Google can't force these companies to distribute new versions even if those new versions carry significant security improvements.

In fact, the carriers and OEMs have a strong incentive not to upgrade phones they have already sold: withholding upgrades gives buyers a reason to buy a new phone, since new phones ship with all the improvements in the new operating system, even when the older devices are capable of running the newer versions.

Samsung has acknowledged a serious vulnerability in the Android kernel for the Exynos processors in many of its phones, including the Samsung Galaxy S3.

Users who want to upgrade their own phones can do so by rooting them (the Android term for jailbreaking) and installing a custom ROM from one of many sources, such as CyanogenMod. But not many users have the patience or skills to do this.

Distribution of Android versions in installed devices based on the number of Android devices that have accessed Google Play within a 14-day period ending on December 3, 2012.

Another important tool for mitigating vulnerabilities is Google Chrome, the alternative browser now available on Android. The standard Android browser is not as advanced or as secure as Chrome, and as of Version 4.1 (Jelly Bean) Chrome is the default browser on Android.

These advances will make many classes of exploits much harder to execute, but not privilege escalation attacks. For now, the main way to stop those is by vetting apps at the store or through reputation systems. Unfortunately, as Trail of Bits explains in depressing detail, the controls on app submissions to the Google Play store are as weak as Apple's are strong.
